MySQL 8.0: setting up encrypted connections with X.509

Posted davie_2020


# Setting up encrypted connections with X.509

[root@db145 data]# ls -lhtr /data/mysql/mysql_3306/data/ | grep pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 ca-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 ca.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 server-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 server-cert.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 client-key.pem
-rw-r--r-- 1 mysql mysql 1.1K Jun 6 2019 client-cert.pem
-rw-r--r-- 1 mysql mysql 452 Jun 6 2019 public_key.pem
-rw------- 1 mysql mysql 1.7K Jun 6 2019 private_key.pem


# Add the following to the configuration file

[client]
ssl-cert = /data/client/client-cert.pem
ssl-key = /data/client/client-key.pem

[mysqld]
ssl-ca=/data/mysql/mysql_3306/data/ca.pem
ssl-cert=/data/mysql/mysql_3306/data/server-cert.pem
ssl-key=/data/mysql/mysql_3306/data/server-key.pem

 

# Restart the database service

mysql> show variables like '%ssl%';
+---------------------------------------------------+---------------------------------------------+
| Variable_name | Value |
+---------------------------------------------------+---------------------------------------------+
| group_replication_recovery_ssl_ca | |
| group_replication_recovery_ssl_capath | |
| group_replication_recovery_ssl_cert | |
| group_replication_recovery_ssl_cipher | |
| group_replication_recovery_ssl_crl | |
| group_replication_recovery_ssl_crlpath | |
| group_replication_recovery_ssl_key | |
| group_replication_recovery_ssl_verify_server_cert | OFF |
| group_replication_recovery_use_ssl | OFF |
| group_replication_ssl_mode | DISABLED |
| have_openssl | YES |
| have_ssl | YES |
| mysqlx_ssl_ca | |
| mysqlx_ssl_capath | |
| mysqlx_ssl_cert | |
| mysqlx_ssl_cipher | |
| mysqlx_ssl_crl | |
| mysqlx_ssl_crlpath | |
| mysqlx_ssl_key | |
| ssl_ca | /data/mysql/mysql_3306/data/ca.pem |
| ssl_capath | |
| ssl_cert | /data/mysql/mysql_3306/data/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_fips_mode | OFF |
| ssl_key | /data/mysql/mysql_3306/data/server-key.pem |
+---------------------------------------------------+---------------------------------------------+
27 rows in set (0.01 sec)

mysql>

 

Copy client-cert.pem and client-key.pem to the client
chown -R mysql.mysql /data/client/

# Create a test account

mysql> create user 'user_w'@'%' identified by 'user_w_pwd' require X509;
mysql> grant all privileges on *.* to 'user_w'@'%';

 

 

[root@db143 client]# mysql -h 192.168.142.145 --ssl-cert=/data/client/client-cert.pem --ssl-key=/data/client/client-key.pem -uuser_w -p'user_w_pwd'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 8.0.18 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s;
--------------
mysql Ver 8.0.18 for linux-glibc2.12 on x86_64 (MySQL Community Server - GPL)

Connection id: 16
Current database:
Current user: user_w@192.168.142.143
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 8.0.18 MySQL Community Server - GPL
Protocol version: 10
Connection: 192.168.142.145 via TCP/IP
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8mb4
Conn. characterset: utf8mb4
TCP port: 3306
Uptime: 22 min 7 sec

Threads: 3 Questions: 35 Slow queries: 0 Opens: 1162 Flush tables: 3 Open tables: 48 Queries per second avg: 0.026
--------------

ERROR: 
No query specified

mysql> exit

[root@db143 client]# mysql -h 192.168.142.145 -uuser_w -p'user_w_pwd'
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'user_w'@'192.168.142.143' (using password: YES)
[root@db143 client]#

# If this is a replica, it must use its own pem files

[root@db143 data]# mysql -h 192.168.142.143 --ssl-cert=/data/mysql/mysql_3306/data/client-cert.pem --ssl-key=/data/mysql/mysql_3306/data/client-key.pem -uuser_w -p'user_w_pwd'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 8.0.18 MySQL Community Server - GPL


Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.


Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.


Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql> exit
Bye
[root@db143 data]#
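
The following is an added example, not part of the original post: a shell function that lints the [client] and [mysqld] TLS options used in this walkthrough. It flags relative certificate paths, a client that presents its certificate but has no ssl-ca and ssl-mode=VERIFY_CA to authenticate the server, and a server without require_secure_transport. The function name check_tls_cnf, both sample configs and the path /data/client/ca.pem are assumptions.

```shell
# Added example: lint the TLS options of a my.cnf read from stdin.
# Prints one finding per line; returns 1 if there are findings, 0 if clean.
check_tls_cnf() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function warn(msg) { print msg; n++ }
    /^[ \t]*(#|;|$)/ { next }                      # comments and blank lines
    /^[ \t]*\[/ { sec = trim($0); gsub(/\[|\]/, "", sec); next }
    {
      eq = index($0, "="); if (!eq) next
      key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
      gsub(/_/, "-", key)                          # ssl_ca and ssl-ca are one option
      opt[sec, key] = val
      if (key ~ /^ssl-(ca|cert|key)$/ && val !~ /^\//)
        warn("[" sec "] " key ": relative path " val)
    }
    END {
      if (!(("client", "ssl-ca") in opt))
        warn("[client] ssl-ca missing: the server certificate is never verified")
      if (toupper(opt["client", "ssl-mode"]) !~ /^VERIFY_(CA|IDENTITY)$/)
        warn("[client] ssl-mode is not VERIFY_CA or VERIFY_IDENTITY")
      if (toupper(opt["mysqld", "require-secure-transport"]) !~ /^(ON|1)$/)
        warn("[mysqld] require_secure_transport is not ON")
      exit (n > 0)
    }'
}

# Constructed sample: client sends a certificate but cannot authenticate the server.
WEAK_CNF='[client]
ssl-cert = data/client/client-cert.pem
ssl-key = /data/client/client-key.pem
[mysqld]
ssl-ca=/data/mysql/mysql_3306/data/ca.pem
ssl-cert=/data/mysql/mysql_3306/data/server-cert.pem
ssl-key=/data/mysql/mysql_3306/data/server-key.pem'

# Constructed sample: same files, hardened (/data/client/ca.pem is an assumed copy of ca.pem).
HARDENED_CNF='[client]
ssl-ca = /data/client/ca.pem
ssl-cert = /data/client/client-cert.pem
ssl-key = /data/client/client-key.pem
ssl-mode = VERIFY_CA
[mysqld]
require_secure_transport = ON
ssl-ca=/data/mysql/mysql_3306/data/ca.pem
ssl-cert=/data/mysql/mysql_3306/data/server-cert.pem
ssl-key=/data/mysql/mysql_3306/data/server-key.pem'
printf '%s\n' "$WEAK_CNF" | check_tls_cnf || true
printf '%s\n' "$HARDENED_CNF" | check_tls_cnf && echo "hardened: no findings"
```

To check a real file, run `check_tls_cnf < /etc/my.cnf` and treat a non-zero exit status as a failed check.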

 
